I have a new SP 2010 web-application configured for Claims authentication, with both 'windows' and 'forms' authentication.

Initially, I created a root site collection, set a windows site-collection-administrator and logged in with windows authentication without problem.

Note: I did not 'extend' into another zone, I applied changes to the original web-app.

Then, I followed the process of updating all 3 web-configs (web-app, central-admin, token-service), created the fba database and added fba admin-users. I have configured the secondary site collection administrator as a fba user.

When I go to the login page, I get the 'choose forms/windows' authentication. The FBA user logs in successfully, and as a site-collection-admin, can manage the site, add users etc.

When I choose Windows auth though, it does authenticate but redirects to the initial login-choice page with additional URL parameters including 'access denied'.

When I update the providers and remove forms auth, then Windows does work properly.

I am also having the same problem. But if I add the all domain users group in User Policy permission with Full Read, then I can log in with Windows authentication. But even after logging in to the site, they're not getting their old permissions. How did you fix your issue?
– Sree, Oct 10 '11 at 13:57

1 Answer
1

My guess is that you didn't set the claims provider to be the default membership and role provider. This is a common mistake and I reproduced exactly the same error on my machine.

After setting up FBA providers in web.config (most likely with IIS Manager), in most explanations the next step is to set the FBA provider as the default membership and role provider. This is 'required' because it is the easiest way to add some user accounts to FBA. After that, the next logical step is to immediately check whether your newly created account can log on to SharePoint. And everything works like a charm, but only because your site collection is not running claims but is using only the FBA provider. And that is why a Windows user cannot access the site.

After removing FBA authentication from the web application (in Central Administration), SharePoint automatically resets the default membership and role providers back to claims, so everything works as expected again.

To avoid it, you just need to recheck your default membership and role providers with IIS Manager. When using claims, the default membership provider name is i and the default role provider name is c. When setting the providers to i and c, IIS Manager will inform you that your current provider is not a trusted provider; there is nothing wrong here, so just ignore it.

What do you mean by rechecking providers in IIS Manager? I have the exact same issue where users are being redirected to the login page. However, I am using Windows & SAML/ADFS authentication. Can you please suggest? Thanks much in advance!
– Vishal Patel, Feb 4 at 19:53
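
The provider recheck described in the answer can also be done by reading the web application's web.config directly. The following is an added example, not part of the original answer or any SharePoint tooling: the function name `Test-ClaimsDefaultProviders`, the sample XML, and the provider names `FBAMembership` and `FBARoles` are assumptions made for illustration.

```powershell
# Added example, not from the original answer.
# Constructed sample web.config fragment. "FBAMembership" and "FBARoles" are
# assumed names for the forms providers; the type strings are abbreviated.
$sample = [xml]@'
<configuration>
  <system.web>
    <membership defaultProvider="FBAMembership">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint" />
        <add name="FBAMembership" type="System.Web.Security.SqlMembershipProvider, System.Web" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="c">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" />
        <add name="FBARoles" type="System.Web.Security.SqlRoleProvider, System.Web" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
'@

function Test-ClaimsDefaultProviders {
    param([Parameter(Mandatory = $true)][xml]$Config)

    # Per the answer: claims mode expects membership "i" and role manager "c".
    $expected = @{ membership = 'i'; roleManager = 'c' }
    foreach ($section in 'membership', 'roleManager') {
        $want = $expected[$section]
        $node = $Config.SelectSingleNode("/configuration/system.web/$section")
        $actual = ''
        $registered = $false
        if ($null -ne $node) {
            $actual = $node.GetAttribute('defaultProvider')
            # The claims provider must also still be listed under <providers>.
            $registered = $null -ne $node.SelectSingleNode("providers/add[@name='$want']")
        }
        New-Object PSObject -Property @{
            Section = $section; Expected = $want; Actual = $actual
            Registered = $registered; Ok = ($actual -eq $want) -and $registered
        } | Select-Object Section, Expected, Actual, Registered, Ok
    }
}

# The sample reproduces the misconfiguration from the answer: membership defaults to FBA.
Test-ClaimsDefaultProviders -Config $sample | Format-Table -AutoSize
```

To check a real web application, pass `([xml](Get-Content $pathToWebConfig))` as `-Config`, where `$pathToWebConfig` is a placeholder for that web application's web.config path.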